Tips & Strategies

Learn the top quick steps, then deepen your knowledge and learn more strategies with key IU resources from Protect IU and the IU Knowledge Base.

Plus, find high-quality training resources available at IU.

Think before you click—Quick steps

1. Recognize

Verify the sender is who you think it is.

How: Double-click or tap the sender’s name at the top of the email to view the real email address. (In Gmail, hover without clicking.) 

Get more help to recognize >>

2. Rethink

If you can't verify the sender, do not click at all.

How: If the email refers to a known website, type that website address into a new browser window instead and check for information there. 

Get more help to rethink >>

3. Report

Suspect it's a phish? Send the alert.

How: Contact your campus UITS Support Center for help on how to report it. 

Get more help to report >>

Note: As of July 24, 2019, all IU email accounts will have external flagging turned on by default. Visit the Security Center for more information. Plus, view the latest Think Before You Click video about external email flagging.

Reveal actual URLs before clicking

Before clicking, make sure you trust the destination of the URL. Some links can trick viewers by having a safe URL as the viewable text, but the actual destination URL is a scam site. Remember the phrase "hover to discover." Here's how:

  • On a desktop computer, to hover on a link, position your mouse cursor over the linked text without clicking on it. This will reveal a small text box that contains the full destination URL. 
  • On mobile devices, the technique to show the URL without opening the destination webpage can vary. Often, it involves a light-pressure long press.

Practice with this link. Hovering should reveal the URL "" in small text at the bottom left of this web browser window.

When you hover in your email, often the full URL will appear in small text right next to the link.

Before you click, always be sure you trust the full URL.

Watch how to outsmart Wolfrid—a wolf in sheep's clothing—by investigating email links. And make sure to work through the tips in this "Rethink" section.

Description of the video:

[ Music ]

>> Hold on. I would rethink this one. If you have not verified the sender, do not click on links in emails at all. If the email refers to a known website, type that website address into a new browser window instead to verify its authenticity. Even for trusted contacts and emails, it's a good idea to hover over the link first without clicking on it. This should reveal a small popup with the actual destination URL. Only click if you trust that revealed URL completely. This email is definitely a phish. So, think before you click. There are even more ways to recognize a wolf in sheep's clothing, but not clicking any links from unknown senders is a good step. Find more tips to recognize, rethink, and report on

[ Music ]

Avoid clicking links in emails

The best solution is to go directly to a known website address rather than clicking links in an email. Instead of clicking links in notification emails, go to the trusted website address and check for notices there. 

Learn more about making sure a website is genuine.


Think critically about the message

Think critically about the way the email is worded and what the request is. Anything urgently requesting action regarding financial transactions or providing sensitive information should be a red flag to investigate carefully.

Get more tips from the Protect IU site on how to analyze messages.

View emails in plain text

Viewing emails in plain text can reveal details that scammers try to hide, including full URLs for all links.

Learn how to view Outlook emails in plain text.

Report the message in Outlook

You can use the built-in reporting features in Outlook to report suspicious email to the IT Security Office.

Report a phishing message in Outlook

Never open attachments from unverified senders

If you can't verify the sender, don't click the attachment. Attachments are a key way that malware and harmful files are sent in phishing attacks.

Watch how catch Wolfrid—a wolf in sheep's clothing—by reporting suspected phishing email scams. And make sure to work through the tips in this "Report" section.

Description of the video:

[ Music ]

>> Good call. This email looks suspicious. If a suspected phishing email targets IU in any way, you can contact the UITS support center for help on how to report it. They will help you get the alert to IU's university information policy office, which can then evaluate the thread and minimize risk for the rest of the IU community. Outlook and student Gmail users at IU can also get a one-click reporting tool that takes care of reporting the phish to the policy office for you. To download this tool, search for PhishMe Reporter on And to learn more ways to report, visit While there are several ways to report a suspected phish, contacting UITS support center is a great way to get started. And if you do accidentally click on a suspected phish, contact the support center right away. So, feel free to squeal. Reporting a suspected phishing scam helps protect the entire IU community. Fine more tips to recognize, rethink and report on

[ Music ]

Contact your IT Pro or the UITS Support Center

If you don't have other means to report quickly, contact your IT Pro or the UITS Support Center.

UITS Support Center contact information


Forward the message to with full headers

Using any major email provider, you can forward the message to with full headers to report a suspected phishing email.

Learn how to forward with full headers
(Instructions for each email client are provided.)

Key recommendations from the IU Knowledge Base

Avoid scams

To guard against phishing scams, consider the following:

  • Indiana University and other reputable organizations will never use email to request that you reply with your password, full Social Security number, or confidential personal information. Be suspicious of any email message that asks you to enter or verify personal information, through a website or by replying to the message itself. Never reply to or click the links in such a message. If you think the message may be legitimate, go directly to the company's website (that is, type the real URL into your browser) or contact the company to see if you really do need to take the action described in the email message.
  • Read your email as plain text.

    Phishing messages often contain clickable images that look legitimate; by reading messages in plain text, you can see the URLs that any images point to. Additionally, when you allow your mail client to read HTML or other non-text-only formatting, attackers can take advantage of your mail client's ability to execute code, which leaves your computer vulnerable to viruses, worms, and Trojans.

  • If you choose to read your email in HTML format:
    • Hover your mouse over the links in each email message to display the actual URL. Check whether the hover-text link matches what's in the text, and whether the link looks like a site with which you would normally do business.

      On an iOS device, tap and hold your finger over a link to display the URL. Unfortunately, Android does not currently support this.

When you recognize a phishing message, first report it as noted below, and then delete the email message from your Inbox, and then empty it from the deleted items folder to avoid accidentally accessing the websites it points to.

To learn more about guarding against phishing scams, see:

Training options to boost your defenses

Take free online courses

Take no-cost online training via IU Expand any time.

Explore online classes

Hold "Think before you click" workshops

Request a "Think before you click" instructor-led workshop with IT Training.

Schedule a workshop

Run practice simulations

Get the PhishMe simulation service for your department.

Request this service